
Kenny Paul
Perfect! Thanks Daniel!

From: <onap-tsc@...> on behalf of Alexis de Talhouet <adetalhouet89@...>
Reply-To: <onap-tsc@...>
Date: Friday, December 7, 2018 at 12:58 PM
To: Daniel Farrell <dfarrell@...>
Cc: Abhijit Kumbhare <abhijitkoss@...>, "<tsc@...>" <TSC@...>, <ONAP-TSC@...>
Subject: Re: [onap-tsc] [OpenDaylight TSC] CII Badging - Vulnerabilities

Awesome. Thank you for the reminder Daniel. I’ll loop in that list.
On Dec 7, 2018, at 3:56 PM, Daniel Farrell <dfarrell@...> wrote:
No, this list is exactly meant for this type of secret information. It's the group of people the TSC has appointed as trusted to handle security issues. They will follow all the normal security embargo best practices.
Daniel

Daniel,
Is the content of information provided through that mailing list publicly available? If yes, then I can’t provide the information to that list, as we don’t want to share publicly the vulnerabilities.

On Dec 7, 2018, at 3:50 PM, Daniel Farrell <dfarrell@...> wrote:
Hey Alexis,
Reminder that we have a security response team that's meant to handle these types of things. Stephen is on the security response team, but you might still be better off sharing with that group vs Stephen and Michael directly.
We asked for these details to be sent to that list months ago when ONAP folks first mentioned these scanning issues, but last time I talked to Stephen about it they still hadn't been sent.
We appreciate ONAP working with us to make sure we're the best upstream we can be. Looking forward to benefiting both projects by working together more closely.

Michael, Stephen,
I sent you the information privately, as we should not share vulnerabilities publicly.
Please only distribute internally to PTL and/or TSC.

Thanks Alexis, Stephen and Michael.

Michael, Stephen,
Thank you for the prompt response. I’ll get clarification on the vulnerabilities we have identified and will come back to you on the points you mentioned.
Alexis

> On Dec 6, 2018, at 1:06 PM, Stephen Kitt <skitt@...> wrote:
>
> Hi Alexis,
>
> On Thu, 6 Dec 2018 17:57:29 +0100
> Michael Vorburger <vorburger@...> wrote:
>>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët
>>> <adetalhouet89@...> wrote:
>>>
>>> Greeting ODL community, TSC,
>>>
>>> Within the ONAP community, we’re seeking CII badging. For that, we
>>> need to eradicate critical vulnerabilities.
>>>
>>> Few ONAP projects are depending on OpenDaylight artifacts, such as
>>> CCSDK, and we’re seeing a fair amount of vulnerabilities coming
>>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>>> reports that were found in the ODL Oxygen SR3 distribution,
>>> documented here
>>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>>> document is high level information providing only the groupId of
>>> the maven artifact. I don’t have permission to see ODL projects in
>>> LF Nexus-ID: https://nexus-iq.wl.linuxfoundation.org, so I can't
>>> link directly reports here.
>>>
>>> Point is, we would like to know where ODL stands with regards to CII
>>> Badging; is that something you’re seeking?
>
> Not actively, but we do care about fixing vulnerabilities.
>
>>> Regardless, we would like to know if ODL is willing to address
>>> critical vulnerabilities impacting ONAP?
>
> Yes, we are.
>
>> I just had a (quick) look at wiki.onap.org, and was wondering if you
>> guys would be willing to help us help you more, by:
>>
>> - clarifying details about the vulnerability, like a link to a CVE
>
> +1
>
>> - first check out Fluorine or even better already Neon; at least some
>> of the Karaf related ones likely are already solved
>
> At least, check Oxygen SR4 when it’s available. I’m also not entirely
> sure how the analysis matches up with Oxygen SR3; for example, the
> version of Guava in SR3 is 23.6.1, which fixes the known
> vulnerabilities. CLM also flags a number of false positives, e.g.
> commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
>
>> - clarify where you found the artifact... there are (to me) some
>> surprises in your list; e.g. sendgrid or angular I wouldn't know
>> where that is used by what project in ODL
>
> +1
>
>> - dedupe your list - it looks a lot longer than it really is, many
>> dupes ;)
>
> I think this is because the artifacts aren’t fully described: we need
> the artifactId as well as the groupId, and ideally the version.
>
> Regards,
>
> Stephen
_______________________________________________
TSC mailing list
TSC@...
https://lists.opendaylight.org/mailman/listinfo/tsc
Thanks for pointing in the right direction Daniel. Yes - I was thinking of the security mailing list when I saw Alexis' comment - and his concerns were exactly why that list is in place.
Stephen Terrill <stephen.terrill@...>
Hi,
Thanks. This may be a good opportunity to point to this wiki for this process.
https://wiki.onap.org/display/DW/ONAP+Vulnerability+Management
This will be a good opportunity to test it out.
BR,
Steve
Michael Vorburger <vorburger@...>
Hello everyone,
It's great to see that we do have a working formal security vulnerability disclosure process in place in ODL.
I'll therefore let the members of that structure deal with this. If I can be of any help for anything specific, please reach out to me.
Hi,
Thanks. This may be a good opportunity to point to this wiki for this process.
https://wiki.onap.org/display/DW/ONAP+Vulnerability+Management
This will be a good opportunity to test it out.
BR,
Steve
Everyone, Daniel,
So I did send the mail to the ODL security list, but the message is being held waiting for “moderator approval”:
Your mail to 'security' with the subject
CII Badging - Vulnerabilities
Is being held until the list moderator can review it for approval.
The reason it is being held:
Post by non-member to a members-only list
I don’t know if this is intended or not, but as there is no way to register to such a list, I’m wondering if I missed something.
Stephen T, in this case I’m following the ODL process, as I’m reporting vulnerabilities to their project: vulnerabilities we have identified within ONAP as part of the CII Badging requirement.
Regards, Alexis
Hi Alexis,
We can see your email and you will see replies, as your email will be in the reply-all list. A reply is still pending, but it's on our desk, so to speak.
I discussed this with Stephen this morning and a reply will follow. Initial analysis shows that a good number of false positives are reported.
Regards,
Luke
-- Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat: lhinds@... | irc: lhinds @freenode | t: +44 12 52 36 2483
Luke, all
Following up on this. What is the current status?
Regards,
toggle quoted message
Show quoted text
On Dec 10, 2018, at 8:13 AM, Luke Hinds < lhinds@...> wrote:
Hi Alexis,
We can see your email and you will see replies as your email will be in the reply all list , a reply is till pending, but its on our desk so to speak.
I discussed this with Stephen this morning and a reply will follow. initial analysis shows that a good number of false positives are reported.
Regards,
Luke Everyone, Daniel,
So I did send the mail to ODL security list, but message is getting held waiting for “moderator approval”
Your mail to 'security' with the subject
CII Badging - Vulnerabilities
Is being held until the list moderator can review it for approval.
The reason it is being held:
Post by non-member to a members-only list
I don’t know if this is intended or not, but as there is no way to register to such list I’m wondering if I missed something..
Stephen T, in this case, I’m following ODL process are I’m reporting vulnerabilities to their project; vulnerabilities we have identified within ONAP as part of the CII Badging requirement.
Regards, Alexis
On Dec 10, 2018, at 6:44 AM, Michael Vorburger <vorburger@...> wrote:
Hello everyone,
It's great to see that we do have a working formal security vulnerability disclosure process in place in ODL.
I'll therefore let the members of that structure deal with this. If I can be of any help for anything specific, please reach out to me.
Hi,
Thanks. This may be a good opportunity to point to this wiki for this process:
https://wiki.onap.org/display/DW/ONAP+Vulnerability+Management
This will be a good opportunity to test it out.
BR, Steve
Dear ODL community, Luke, all,
Could I get an update w.r.t. the vulnerabilities reported?
Thanks,
ZWARICO, AMY <az9121@...>
From: onap-tsc@... [mailto:onap-tsc@...]
On Behalf Of Alexis de Talhouet
Sent: Monday, January 21, 2019 7:04 AM
To: <tsc@...> <TSC@...>
Cc: Luke Hinds <lhinds@...>; onap-tsc@...; Michael Vorburger <vorburger@...>; Stephen Kitt <skitt@...>; Stephen Terrill <stephen.terrill@...>
Subject: Re: [OpenDaylight TSC] [onap-tsc] CII Badging - Vulnerabilities
On 21/01/2019 14:04, Alexis de Talhouët wrote:
Dear ODL community, Luke, all,
Could I get an update w.r.t. the vulnerabilities reported?
Hello Alexis,
I have finally found the report and it's quite a few issues, so it's hard to break them down.
First of all, I don't believe the list of issues flagged as coming from OpenDaylight is accurate, as I compared the artifacts we ship in karaf-0.8.3. We also did not ship netty-4.0.30, we shipped 4.1.22.
We did not ship the following artifacts at all:
commons-fileupload
artemis-commons
faces-impl
sendgrid-java
netty-4.0.30 -- we ship 4.1.22.Final
I could not find a public repository for the SONATYPE advisories -- does anyone have a pointer? Without that I cannot evaluate them...
We have upgraded org.bouncycastle in Oxygen SR4, so at least those two CVEs have been fixed.
Finally, it seems that quite a few issues are affecting ccsdk/distribution, which are coming from ODL projects like TSDR, SXP and similar. I am not sure whether ONAP really uses them, so it may be worthwhile to take a look at how the distribution is assembled.
Regards,
Robert
Greeting ODL TSC,
I would like to add an item to the next TSC agenda, to have a discussion following up on this mail thread, to see how we can move forward. Kindly let me know when would be a good time, so we can have the right persons from the ONAP community attend.
Thank you,
On Jan 22, 2019, at 3:48 PM, Daniel Farrell <dfarrell@...> wrote:
Thanks Daniel for copying. Thanks Robert for the answer.
Brian, yes, Robert did reply with some preliminary answers. We should ingest them and start triaging our list. Also, we should look into how we could build a custom distro out of ODL released artifacts specific for ONAP, as, as pointed out by Robert, we might not need everything. I actually think we mostly need NETCONF, as far as I’m aware.
I’ll follow up with Dan Timoney on that.
Regards, Alexis
For some reason, OpenDaylight TSC got dropped off this thread - added it back. Looking forward to talking with you guys Alexis and folks.
On Fri, Feb 8, 2019 at 11:38 AM TIMONEY, DAN <dt5972@...> wrote:
All,
One clarification I wanted to make, re: Robert’s question about the list we’d provided.
The Nexus IQ server also reports on third party libraries that are embedded within other jars. For example, ODL Oxygen doesn’t ship netty 4.0.30, but the jar for narayana-osgi-jta contains that version of netty. I can tell that because when I look at “Occurrences” of that library in the Nexus IQ Server report, I see this:
netty-all-4.0.30.Final.jar located at opendaylight/oxygen/target/docker-stage/karaf-0.8.3.tar.gz/karaf-0.8.3/system/org/jboss/narayana/osgi/narayana-osgi-jta/5.5.2.Final/narayana-osgi-jta-5.5.2.Final.jar
I really wish we could just share the report, but unfortunately Sonatype told us in no uncertain terms that sort of thing is a violation of their software license terms.
I just wanted to reassure you all that I really did do my best to be careful about separating out the vulnerabilities we’re inheriting from ODL from any that we’re introducing ourselves.
Dan
--
Dan Timoney
SDN-CP Development
ONAP Project Technical Lead : CCSDK and SDNC
Please go to D2 ECOMP Release Planning Wiki for D2 ECOMP Project In-take, 2016 Release Planning, Change Management, and find key Release Planning Contact Information.
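Two triage problems raised in this thread can be reproduced locally rather than argued from a scanner report that cannot be shared: Dan's point above that the scanner attributes netty 4.0.30 to the narayana-osgi-jta jar that embeds it, and Stephen's earlier point that findings listed by groupId alone look duplicated and need the full groupId:artifactId:version. The script below is an added example, not code from the thread or from either project. It walks a set of jars, reads each jar's META-INF/maven/.../pom.properties, recurses into jars embedded inside jars, and records every occurrence under its full coordinate, so each line of the result can be compared against a distribution's known contents the way Robert did. The sample distribution it builds is constructed in memory: the jar names and coordinates are taken from the thread, while the lib/ placement of the embedded netty inside narayana-osgi-jta and the presence of pom.properties entries in those jars are assumptions made for this example.

```python
import io
import os
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Coordinate:
    """Full Maven coordinate; a groupId alone cannot dedupe scanner findings."""
    group_id: str
    artifact_id: str
    version: str

    def __str__(self):
        return f"{self.group_id}:{self.artifact_id}:{self.version}"


def parse_pom_properties(text):
    """Parse META-INF/maven/<g>/<a>/pom.properties (Java .properties syntax)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    if {"groupId", "artifactId", "version"} <= props.keys():
        return Coordinate(props["groupId"], props["artifactId"], props["version"])
    return None


def scan_jar(data, location, findings, depth=0, max_depth=5):
    """Record every coordinate in a jar and, recursively, in jars it embeds.
    A nested jar's location is written outer.jar!/inner.jar, one entry per occurrence."""
    if depth > max_depth:  # guard against pathological jar-in-jar nesting
        return
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a jar (or corrupt): nothing to inventory
    with archive:
        for name in archive.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                coord = parse_pom_properties(archive.read(name).decode("utf-8", "replace"))
                if coord is not None:
                    findings.setdefault(coord, []).append(location)
            elif name.lower().endswith(".jar"):
                scan_jar(archive.read(name), f"{location}!/{name}", findings, depth + 1, max_depth)


def inventory(jars):
    """jars: {relative path: jar bytes}. Returns {Coordinate: [locations]}."""
    findings = {}
    for path in sorted(jars):
        scan_jar(jars[path], path, findings)
    return findings


def inventory_directory(root):
    """inventory() over an unpacked distribution on disk, e.g. karaf-0.8.3/."""
    jars = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(".jar"):
                full = os.path.join(dirpath, filename)
                with open(full, "rb") as fh:
                    jars[os.path.relpath(full, root)] = fh.read()
    return inventory(jars)


def report(findings):
    """One deduplicated line per coordinate, listing every place it occurs."""
    ordered = sorted(findings.items(), key=lambda item: str(item[0]))
    return [f"{coord}  <- {', '.join(locations)}" for coord, locations in ordered]


def _make_jar(entries):
    """Build an in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _pom_properties(group_id, artifact_id, version):
    return f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n".encode()


def build_sample_distribution():
    """Constructed sample, not a real Oxygen SR3 tree: jar names and coordinates are from
    the thread; the lib/ placement of the embedded netty and the pom.properties entries
    are assumptions made for this example."""
    narayana_path = ("system/org/jboss/narayana/osgi/narayana-osgi-jta/5.5.2.Final/"
                     "narayana-osgi-jta-5.5.2.Final.jar")
    embedded_netty = _make_jar({"META-INF/maven/io.netty/netty-all/pom.properties":
                                _pom_properties("io.netty", "netty-all", "4.0.30.Final")})
    narayana = _make_jar({
        "META-INF/maven/org.jboss.narayana.osgi/narayana-osgi-jta/pom.properties":
            _pom_properties("org.jboss.narayana.osgi", "narayana-osgi-jta", "5.5.2.Final"),
        "lib/netty-all-4.0.30.Final.jar": embedded_netty})
    shipped_netty = _make_jar({"META-INF/maven/io.netty/netty-all/pom.properties":
                               _pom_properties("io.netty", "netty-all", "4.1.22.Final")})
    return {narayana_path: narayana,
            "system/io/netty/netty-all/4.1.22.Final/netty-all-4.1.22.Final.jar": shipped_netty}
```

Running `report(inventory(build_sample_distribution()))` yields three lines, one per full coordinate: netty-all 4.1.22.Final at top level, narayana-osgi-jta 5.5.2.Final, and netty-all 4.0.30.Final whose only occurrence is inside the narayana jar, which is exactly the distinction between "shipped" and "embedded" that the two sides of this thread were talking past. Pointing `inventory_directory` at an unpacked karaf-0.8.3 tree gives the same table for a real distribution; a jar that carries no pom.properties (not every build produces one) will simply be absent from it, so an empty result for a known artifact means the metadata is missing, not that the library is.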
Sure Alexis - I will add this to the agenda next week. Earlier this week Anil Belur was asking for the same to be on the agenda - but there was no time this week to have this.
On Feb 8, 2019, at 10:00 AM, Brian <bf1936@...> wrote:
Since ONAP is Apache 2.0 and ODL is EPL, we don't think we can build a distribution on the ONAP side that removes “ODL projects like TSDR, SXP and similar”. It would be awesome if ONAP could build its own distro, but I don't think we know how to do that without tainting.
I tend to think we can. This is one of the things I want to discuss during the ODL TSC when it is a good time.
Abhijit,
Can we postpone to next Thursday's TSC meeting? Key resources aren’t available this week to have this discussion. People for this topic will be Dan, Taka, Pawel and myself.
Thanks,
Looking forward to discussion tomorrow (Thursday). The ODL TSC Meeting details are as follows: